We have enabled Adaptive MFA and customise it through actions. We have noticed that we get the riskAssessment object during username-password login (PKCE) via Auth0 login dashboard. But we do not get riskAssessment object during refresh token login (Success Refresh Token Exchange). In fact, the authentication object is absent in the event. Can someone confirm that the riskAssessment only happens during Username/Password login via Auth0 login page. And does not happen for refresh_token login and ROPF logins.
Welcome to the Auth0 Community!
Thank you for posting your question. The behaviour you see is expected, as risk Assessment is only run in the interactive flow. Refresh token exchange and ROPG are non-interactive flows, so they don’t run the Risk Assessment.
Thanks!
Dawid